Over the past few months, I have written about the threat first identified by the Institute for Critical Infrastructure Technology (ICIT) called disruptionware. We have previously described what disruptionware is, how it works, and outlined some of the defenses that can be used to defend against a multitude of disruptionware attacks. Many may have thought the immediate notifications of the threat posed by this new concept of disruptionware had been adequately made public and sufficiently identified. Unfortunately, disruptionware continues to impact new sectors.
According to ICIT, disruptionware is an evolving category of malware designed to “suspend operations within the victim organization through the compromise of the availability, integrity and confidentiality of the data, systems, and networks belonging to the target.” Recently, ICIT identified a new threat from disruptionware that will likely have a seriously adverse effect on the American energy sector. ICIT goes so far as to refer to disruptionware in the context of an attack on the U.S. energy grid as a “weapon of mass destruction.”
Disruptionware attacks not only the traditional “IT” networks of a victim, but their “operational technology” (OT) networks as well. We discussed varying disruptionware “modes of attack” here. The main attack vectors include:
- Bricking capabilities
- Automated Components
- Data Exfiltration Tools and
- Network Reconnaissance Tools
It appears that cyber threat actors now understand that the American Energy sector is particularly susceptible to a disruptionware attack. The energy grid may be vulnerable because it was initially designed and built without cybersecurity in mind. According to ICIT, “cyber security was not one of the three founding principles of the American energy distribution network.” Many of the networks still use are “antiquated legacy systems” that result in under-protected and “semi modern” technology. ICIT opines that “all of the power generation facilities, transmission networks, distribution nodes, network operations, and consumer endpoints that interconnect to form the energy sector are susceptible to disruptionware attacks.”
One reason the energy sector is so susceptible to disruptionware attacks is because it heavily relies on OT networks as part of their infrastructure. OT networks are more amenable to less sophisticated, easily available cyberattack such as ransomware. According to the Cybersecurity and Infrastructure Security Agency (CISA), there are many forms of ransomware that are designed to specifically disrupt operations by organizations using OT networks and devices. In a recent energy sector attack, CISA noticed that the threat actor deployed ransomware to encrypt data on both of the victim’s networks. CISA noted that the attacker succeeded because the victim lacked “robust segmentation” between its IT and OT networks, thereby “allowing the adversary to traverse the IT-OT boundary and disable Windows-based assets on both networks with a commodity ransomware.” This forced the victim energy company to physically shut down their physical operations for over two days.
Disruptionware attacks have grown at an exponential pace over the last couple of years, especially with the variety and effectiveness of many types of ransomware. Originally, many thought that these attacks were pervasively focused on the health care industry and government facilities as a general rule. It now appears that the rules of the game may be changing, and the American energy grid may be one of the next victims. Affected organizations in the sector are well-advised to take reasonable steps to upgrade the security of their energy grids now to guard against disruptionware.
The material contained in this communication is informational, general in nature and does not constitute legal advice. The material contained in this communication should not be relied upon or used without consulting a lawyer to consider your specific circumstances. This communication was published on the date specified and may not include any changes in the topics, laws, rules or regulations covered. Receipt of this communication does not establish an attorney-client relationship. In some jurisdictions, this communication may be considered attorney advertising.